identity

package
Published: Nov 4, 2021 License: MIT Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func CreateSession

func CreateSession(region string, role string, creds *credentials.Credentials, id string) (*session.Session, *aws.Config, error)

CreateSession creates a new session for the given role and credentials, tracking with the provided id

Types

type AWSCredentials

// AWSCredentials contains the credentials and assumed role data.
//
// The JSON tags use the capitalised field names of an AWS STS credential
// payload (AccessKeyId, SecretAccessKey, SessionToken). SecretAccessKey and
// SessionToken are secret material: never log the struct with %v/%+v and
// keep it out of audit records and error messages.
type AWSCredentials struct {
	AccessKeyId     string `json:"AccessKeyId"`     // key identifier; pairs with SecretAccessKey
	SecretAccessKey string `json:"SecretAccessKey"` // secret half of the key pair
	SessionToken    string `json:"SessionToken"`    // token accompanying temporary (STS) credentials
}

AWSCredentials contains the credentials and assumed role data

type GCPCredentials

// GCPCredentials is the structure of the GCP ServiceAccount credentials.
//
// The JSON tags mirror the keys of a GCP service-account key file, so the
// file can be unmarshalled directly into this struct. PrivateKey is the
// secret: do not log or re-serialise a populated value. Validate checks the
// credentials against the GCP public key (see (*GCPCredentials).Validate).
type GCPCredentials struct {
	AuthProviderX509CertURL string `json:"auth_provider_x509_cert_url"` // URL of the provider's X.509 certificates
	AuthURI                 string `json:"auth_uri"`                    // OAuth2 authorization endpoint
	ClientEmail             string `json:"client_email"`                // service-account e-mail (the principal)
	ClientID                string `json:"client_id"`                   // numeric client identifier
	ClientX509CertURL       string `json:"client_x509_cert_url"`        // URL of this account's public certificates
	PrivateKey              string `json:"private_key"`                 // PEM private key — SECRET
	PrivateKeyID            string `json:"private_key_id"`              // identifies which key PrivateKey is; not secret
	ProjectID               string `json:"project_id"`                  // owning GCP project
	TokenURI                string `json:"token_uri"`                   // OAuth2 token endpoint
	Type                    string `json:"type"`                        // credential type; "service_account" for SA key files
}

GCPCredentials is the structure of the GCP ServiceAccount credentials

func (*GCPCredentials) Validate

func (c *GCPCredentials) Validate() error

Validate validates the GCP ServiceAccount credentials against the GCP Public Key

type IAMMap

// IAMMap contains a single identity mapping and the corresponding request ID
// for the audit log.
//
// A mapping states that Source may assume Target. FindIDinMap and
// GetCredentials do not perform that authorisation check themselves; the
// caller must validate the Source identity (Identity.Valid) before handing
// a mapping to GetCredentials.
type IAMMap struct {
	Source    Identity `json:"source" yaml:"source"` // identity presenting itself
	Target    Identity `json:"target" yaml:"target"` // identity whose credentials are issued
	RequestID string   `json:"requestId"`            // audit correlation ID; JSON only, no yaml tag (unlike Source/Target)
}

IAMMap contains a single identity mapping and the corresponding request ID for audit log

func (*IAMMap) FindIDinMap

func (im *IAMMap) FindIDinMap(iamMap []IAMMap) (*IAMMap, error)

FindIDinMap returns the IAMMap for the given source identity. This assumes validation has already been performed and that the Source identity has the right to assume the Target identity.

func (*IAMMap) GetCredentials

func (im *IAMMap) GetCredentials(vc *vaultclient.VaultClient) (map[string]interface{}, error)

GetCredentials returns the target credentials for the given source identity. This performs no validation and assumes the source identity has the right to assume the target identity.

type Identity

// Identity contains a single identity.
//
// Provider selects which Valid* method applies (ValidAWS, ValidGCP, ValidK8S).
// Credentials is provider-specific secret material and must not be logged.
// RequestID is tagged yaml:"-" so it is never read from YAML configuration;
// presumably it is set per request for audit correlation — confirm against
// the callers.
type Identity struct {
	ID          string                 `json:"id" yaml:"id"`                   // identifier of the principal
	Provider    ProviderName           `json:"provider" yaml:"provider"`       // one of the Provider* constants
	Region      string                 `json:"region" yaml:"region"`           // provider region (used for the AWS session)
	Credentials map[string]interface{} `json:"credentials" yaml:"credentials"` // provider-specific credentials — SECRET
	RequestID   string                 `json:"request_id" yaml:"-"`            // audit correlation ID; excluded from YAML
}

Identity contains a single identity

func (*Identity) CreateAWSSession

func (id *Identity) CreateAWSSession() (map[string]interface{}, error)

CreateAWSSession creates a new session using the identity credentials

func (*Identity) GetGCPSAFromVault

func (id *Identity) GetGCPSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)

GetGCPSAFromVault returns the GCP ServiceAccount credentials from Vault

func (*Identity) GetK8SSSAFromVault

func (id *Identity) GetK8SSSAFromVault(vaultClient *vaultclient.VaultClient) (map[string]interface{}, error)

GetK8SSSAFromVault retrieves the configured k8s SSA from vault

func (*Identity) Valid

func (id *Identity) Valid() bool

Valid checks the identity's validity with the given provider

func (*Identity) ValidAWS

func (id *Identity) ValidAWS() bool

ValidAWS checks if the given credentials are valid against AWS STS

func (*Identity) ValidGCP

func (id *Identity) ValidGCP() bool

ValidGCP checks if the GCP ServiceAccount credentials are valid

func (*Identity) ValidK8S

func (id *Identity) ValidK8S() bool

ValidK8S extends the Identity to validate a k8s identity

type K8SIdentity

// K8SIdentity is the identity for a k8s cluster.
//
// JWT is the service-account token presented by the caller and
// ValidationToken is the token retrieved from Vault by GetValidation; both
// are secrets and must not be logged. Validate submits the identity to the
// cluster's API for a TokenReview.
type K8SIdentity struct {
	ClusterName     string `json:"clusterName"`     // cluster the identity belongs to
	Namespace       string `json:"namespace"`       // namespace of the service account
	SA              string `json:"sa"`              // service-account name
	JWT             string `json:"jwt"`             // caller's service-account token — SECRET
	ClusterHost     string `json:"clusterHost"`     // API server endpoint used by Validate
	ClusterCA       string `json:"clusterCA"`       // CA bundle for the API server (pins the TLS identity)
	ValidationToken string `json:"validationToken"` // token used to call TokenReview, fetched by GetValidation — SECRET
}

K8SIdentity is the identity for a k8s cluster

func (*K8SIdentity) GetValidation

func (k *K8SIdentity) GetValidation(cluster string, vaultClient *vaultclient.VaultClient) error

GetValidation retrieves the validation SA token from vault

func (*K8SIdentity) Validate

func (k *K8SIdentity) Validate() (*v1beta1.TokenReview, error)

Validate validates the k8s identity against the k8s api

type ProviderName

type ProviderName string

ProviderName contains supported providers

// Supported values of ProviderName. The string is the value expected in the
// "provider" field of an Identity. Note that this package's index lists
// ValidAWS, ValidGCP and ValidK8S but no Azure-specific validation, so
// ProviderAZR identities may not be validated here — confirm in Identity.Valid.
const (
	ProviderAWS ProviderName = "aws"
	ProviderGCP ProviderName = "gcp"
	ProviderAZR ProviderName = "azr"
	ProviderK8S ProviderName = "k8s"
)
